Configure the Sinkhole IP Address to a Local Server on Your Network

Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
Select
Network
Interfaces
and select an interface to configure as your sinkhole interface.
In the
Interface Type
drop-down, select
Layer3
.
To add an IPv4 address, select the
IPv4
tab and select
Static
and then click
Add
. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
Select the
IPv6
tab and click
Static
and then click
Add
and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
Click
OK
to save.
To add a zone for the sinkhole, select
Network
Zones
and click
Add
.
Enter zone
Name
.
In the
Type
drop-down select
Layer3
.
In the
Interfaces
section, click
Add
and add the interface you just configured.
Click
OK
.
Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see Step 2 in Configure DNS Sinkholing for a List of Custom Domains.
Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the Security policy rule(s) that allows traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
Select
Policies
Security
.
Select an existing rule that allows traffic from the client host zone to the untrust zone.
On the
Destination
tab,
Add
the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
On the
Actions
tab, select the
Log at Session Start
check box to enable logging. This will ensure that traffic from client hosts in the Trust zone will be logged when accessing the Untrust or Sinkhole zones.
In the
Profile Setting
section, select the
Anti-Spyware
profile in which you enabled DNS sinkholing.
Click
OK
to save the Security policy rule and then
Commit
.
To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
From a client host in the trust zone, open a command prompt and run the following command:
C:\>
ping 
<sinkhole address>
The following example output shows the ping request to the DNS sinkhole address at 10.15.0.2 and the result, which is
Request timed out
because in this example the sinkhole IP address is not assigned to a physical host:
C:\>
ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
On the firewall, select
Monitor
Logs
Traffic
and find the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This will confirm that the traffic to the sinkhole IP address is traversing the firewall zones.
You can search and/or filter the logs and only show logs with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the
Destination
column, which will add the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.
Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
Find a malicious domain that is included in the firewall’s current Antivirus signature database to test sinkholing.
Select

Device

Dynamic

Updates

and in the

Antivirus

section click the

Release Notes

link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.

In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560, includes an item in the left column named "tbsbana" and the right column lists "net".

The following shows the content in the release note for this line item:

conficker:tbsbana	1
variants: net
From the client host, open a command prompt.
Perform an NSLOOKUP to a URL that you identified as a known malicious domain.
For example, using the URL
track.bidtrk.com:
C:\>
nslookup
	track.bidtrk.com
	Server: my-local-dns.local
	Address: 10.0.0.222
	Non-authoritative answer:
	Name: track.bidtrk.com.org
	Addresses: fd97:3dec:4d27:e37c:5:5:5:510.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
Select
Monitor
Logs
Threat
and locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
Perform a ping to
track.bidtrk.com
, which will generate network traffic to the sinkhole address.